Worried of Mac Malware Spying on You? Here’s How to Get Rid Of “Dok” That Takes Complete Control of Your Mac

New Mac malware can target all versions of macOS and will take complete control of your Mac, security researchers warned last week. Dubbed “Dok,” this malware can spy on OS X users, follow their browsing history and internet traffic, including HTTPS traffic. Wondering what to do if you get infected? Follow these steps.

Dok malware has a thing for victim’s internet traffic and admin password

A McAfee Labs report had revealed earlier in the year that targeted attacks on Macs were up 744% in 2016, showing the increasing efforts of the criminal hacking community. While still nowhere close to the Windows numbers, black hat hackers are no longer exclusively targeting Windows, breaking the myth that Macs are safer than Windows. Like many attacks on Windows, Mac malware also requires some actions taken by the victims, which makes it absolutely critical to focus on user awareness of these attacks.

Researchers at CheckPoint revealed that the new OSX/Dok malware is signed with a “valid developer certificate (authenticated by Apple), and is the first major scale malware to target OSX users via a coordinated email phishing campaign.”

The attack appears to be mostly targeting European users, with one phishing email tailored to Germans, sending a message talking about inconsistencies in the user’s tax returns. Once OSX/Dok infection is complete, the attackers gain complete access to all victim communication, including communication encrypted by SSL,” CheckPoint wrote. “This is done by redirecting victim traffic through a malicious proxy server,” using a MitM attack capable of eavesdropping victim’s internet traffic.

Undetectable Mac malware asks for login details

This malware is also completely undetectable, having zero detections on VirusTotal. Once activated through the email attachments, the malware copies itself to the /Users/Shared folder and shows a pop-up message to the user that the attached document “is damaged” and cannot be opened.

The malware then tries to get user passwords by showing a screen that is disguised as a macOS security update downloader and persists, with user unable to do anything until they click on the “Update All” button. Even a restart doesn’t get rid of this screen. Once the password is entered, the malware gets administrator privileges that are used to download and install a Tor client (helping the attackers to remain anonymous), a new root certificate, and other updates along with altering network settings and redirecting traffic through a server.

This way, all the traffic is up for grabs, including the SSL encrypted traffic. The problem is serious as “everything” can be seen by the criminals, including bank details.

“The impact on business could be much more severe, as it could expose information that could allow an attacker to gain access to company resources,” Malwarebytes wrote. “For example, consider the potential damage if, while infected, you visited an internal company page that provided instructions for how to connect to the company VPN and access internal company services. The malware would have sent all that information to the malicious proxy server.”

How to stay safe and remove Dok Mac malware

Good news, as mostly is the case, is that you won’t be affected if you don’t open .zip files that come your way from strangers or even friends who might themselves be infected. While we may want to believe that people no longer fall for this decades-old phishing scam, as is evident, many still do. However, with Dok there are a number of red flags, including the first zip file and then the demand of your login details.

But, what to do if you have fallen for the trap? If you managed to download the zip attachment file and then went for the update all button and gave your passwords, here is how to get yourself out of this mess.

Open System Preferences.

Next, click on Network and select your internet connection.

Click Advanced > Proxies tab > Automatic Proxy Configuration.

Here, delete the URL http://127.0.0.1.5555..

Also, delete the two LaunchAgents installed by Dok:

/Users/%User%/Library/LaunchAgents/com.apple.Safari.proxy.plist

/Users/%User%/Library/LaunchAgents/com.apple.Safari.pac.plist

Finally, delete the fake signed Apple Developer certificate:

Launch Finder > Applicatons.

Open Utilities folder > double-click on Keychain Access.

Now select the certificate named COMODO RSA Secure Server CA 2.

Right click on the Certificate and click on Delete Certificate.

Confirm with Delete.

Again, just give a second thought before opening attachments from strangers and you will have a lot less to worry about.